Announcing new capabilities available in Office 365 Message Encryption

As part of our integrated information protection investments we are releasing rich new capabilities in Office 365 Message Encryption that protect and control your sensitive emails. These enhancements are aimed squarely at helping you better safeguard your sensitive email communications without hampering the ability for your users to be productive and to easily collaborate with those inside or outside of your organization.

At a high-level, the new enhancements include:

Helping you lower the risk of accidental or malicious data loss by making it easier for your users to protect and read sensitive emails.

Enabling non-Office 365 recipients of protected emails to read and respond with ease, regardless of the device, app, service, or identity they use to receive their email.

Additionally, Office 365 Message Encryption will support customer-managed keys, to help meet their compliance needs.

Please read below to understand more detail on what we are delivering and how you can get started.

What’s New

Helping you lower the risk of accidental or malicious data loss by making it easier for your users to protect and read sensitive emails.

In the previous version of Office 365 Message Encryption, users could encrypt their messages by using certain keywords in the subject line or in the body of the message. While this is a powerful feature for organizations to automatically encrypt sensitive emails, it presented a hurdle for end users that wanted to send ad-hoc encrypted messages.

Today, in addition to the automatic policies that can be set by administrators, we are empowering end users to encrypt and rights protect sensitive messages using the default ad hoc policy “Do Not Forward”, as well as other custom policies. End users can now apply encryption and rights protection from Outlook in a few clicks.

Example of an email being protected in the Outlook rich client.

Another area we’re investing in to protect sensitive data is the ability to rights protect messages that are shared outside the organization, for B2B and B2C scenarios.

Until recently, you could use Office 365 Message Encryption to send protected email to external recipients, but Office 365 Message Encryption presented a very different experience from Information Rights Management (IRM). In the new Office 365 Message Encryption, we are extending the feature to include the best of IRM, with the added benefit for the sender to not need to worry about anything before clicking Send. For example, we are eliminating complexity by removing the need to establish explicit trusts between organizations. Now users can easily send encrypted and rights protected messages to anyone inside and outside the organization. Additionally, this protection will be applied to the Office 365 document(s) attached to the message.

This makes it possible to not only protect sensitive data from being read by unintended audiences, but it also allows you to set usage rights, such as preventing the message from being forwarded, copied or printed.

Example of a protected email with an Office attachment that also has been protected.

Lastly, to further enable users to collaborate securely on protected emails, Office 365 users can get a seamless reading experience on any device if they are using Outlook (desktop, Mac, web, iOS or Android mobile). For those users who do not choose to use the Outlook app, we are also adding the ability for you—as IT—to enable other Exchange ActiveSync (EAS) mobile email clients, like the native Mail app on iOS, to receive and respond to protected emails.

Example of reading and sending a protected message from Outlook app on iOS.

Ensuring that recipients of protected emails can read and respond with ease, regardless of the device, app, service, or identity they use to receive their email.

Another investment we made was to enable users to read a protected message regardless of their email provider. Previously, Office 365 Message Encryption recipients had to read encrypted messages with a Microsoft Account or a One-time Passcode.

Today, Gmail and Yahoo recipients can easily authenticate using their Google or Yahoo identity and sign in to a limited-time web view that allows them to read and collaborate on protected emails.

Example of the sign-in with Google page, where the recipient can use their Google identity to read the protected message in a limited-time web view.

Customers using less popular email providers can continue to use a Microsoft Account or a One-time Passcode.

Support for customer-managed keys

Regulated customers have expressed a need to provide customer-managed keys to the Microsoft cloud and to protect their mail using those keys. Exchange Online now supports a customer-managed tenant key for Azure Information Protection. Read here to understand how to set this up in Azure Key Vault.

How can I get this?

The new message protection capabilities are offered in Office 365 E3 and above for commercial customers and Office 365 A1 and above for EDU customers. We also offer this in several other plans with the appropriate add-ons; please refer to this table for more detail.

Get Started Today!

Customers should get started on these new capabilities that are available today! Please see resources below that can help you get started:

@Bob Fink it seems some of our old guidance wasn't updated. Actually, existing IRM/OME customers can also onboard to the new msipc based stack by simply running the cmdlets provided. Check out the documentation for the cmdlets. This updated guidance should be updated in the link above shortly if not already.

@Caroline Shin that worked! How do we set up a policy similar to Do Not Forward that it can apply to any recipients, but we want it to only encrypt the email? Would simply like to take advantage of the federation to the other providers for email encryption while not needing to restrict forwarding, copying, etc. Seems that if we use an IRM template, the recipients have to be predefined and the only other option is to use DNF, which is too restrictive for our use.

@Bob Fink Great to hear! WRT an encrypt only policy, right now we only support DNF (Do not forward) and custom templates but we plan to enable encrypt only in the coming months. Look for the update here on the TechCommunity.

How does this compare to OME as in, once the custom template function will allow the option for Encrypt Only, will this be considered a full replacement for the current 365OME – and use the same measures SHA256 etc (the user experience will be better! – but people will react to the change and assume it is less secure than the encryption portal you previously had to read messages in.) – I see the release for Encrypt Only in a template as you stated above is the coming months, does this have a roadmap ID?

The Protect button in Outlook – there were two shown in the video, one was from installing the AIP Client (blue padlock) and the other one shown in the screenshot at 31:27 – this is for a pre-release build it would appear, again does this have a rough expected release date and is it expected to be replacing the “Permission” button within Outlook?

Is there a plan to add the ability to send Protected messages from the mobile app?

1. You are correct. Once we enable 'encrypt only' it will be considered at feature parity (plus more) to the previous version of Office 365 Message Encryption. You can find details of the encryption standards used here. You should see the 'encrypt only' in the public roadmap very soon.

2. We plan on simplifying the Outlook experience to align with the actions that end users need to take to protect the email. The goal is to make this experience seamless and easy - like the way it is in Outlook web experience. We are actively working on this and will share a date when ready.

With regards to the old version of OME, will that be deprecated in tenants if you are already using OME? We have built a solution using message classifications to trigger transport rules and we only want to encrypt. The DNF option currently doesn’t fit our organisation’s workflow.

But the introduction of this into AIP is brilliant.

One thing that I noticed was that we use one label to classify sensitive information. I tried to recreate this using AIP in a test tenant and the template would not show up in Exchange for use in transport rules, DLP etc.

Would adding the requirement for an encrypt only template be an idea to put in the User Voice platform, or is it already in scope for development?

As a very small business, we currently only use Business Essentials and Business Premium, but we deal with some very sensitive client information which we should be sharing using encryption. Unfortunately, from everything I've read and the sales people I've spoken to at MS, data protection offerings such as the ones you've outlined here are geared towards big business / enterprises. What would you recommend for small businesses, who work under exactly the same data protection laws as major enterprise organisations, with regards to encrypting emails and so on? The key for us is to keep it all as hosted, online solutions as part of O365 as we do not have our own IT department or infrastructure.

Really hoping you can help as despite lots of research I've not yet been able to come up with a workable, affordable solution.

@Caroline Shin Great news on additional features! Now, as a MS Partner, maybe we can almost compete w/other solutions like ZixMail. However, I have a question - encryption is part of the Azure Information Protection, correct? If so, will anyone who has this add-on be able to use these new features or only E1 or E3?

For example, I have many customers with Exchange Online + Azure Information Protection P1 who are used to adding "[secure]" to the e-mail subject but it would be so much easier to simply click a button!

Although not the most seamless approach, will there ever be an option to have the receiver enter a password or pin to view an email (perhaps within Outlook only). I have tested these, and I did not find this very secure from the standpoint of a compromised Gmail or Yahoo account. It still seems that passing a key/pin/password/etc. to the user through an alternate means is still way more secure, simple, and trusted than what is described here. I am mainly concerned with sending emails to external accounts, not so much within an enterprise, which the solution in this article addresses very well.

I'm in the same boat as Oz and others. We are in a mixed environment of Business Essentials and Business Premium with Azure Information Protection Plan 1 added to each account for DLP and encryption. Will this be available to us? The price jump is basically doubling our monthly expenditure if we move up to E3.

@Caroline Shin, How does this affect the ability to conduct eDiscovery searches for keywords in messages? Occasionally customers have trouble locating a message that they have received or sent or maybe deleted and can only remember vague details, or we may be searching for messages that need a legal hold action based on content. My understanding is if a message is encrypted, the content will not be searchable unless the eDiscovery admin has access to the encryption keys (?)

As the encryption protocols are important for law firms seeking to both secure and locate data, I'd agree that Tony's query is an important and interesting line of thought. Looking forward to seeing the evolution of this important project.

@Oz Oscroft @Mark Nealley Thanks Oz, Mark. Agree encryption is business critical for businesses of all sizes. We do offer Office 365 Message Encryption outside of our enterprise SKUs. Check out this table here. For example you can see that we even offer OME for frontline workers (kiosk) but you'll need to add-on AIP P1 and if you want the Outlook desktop experience - you also need Office Pro Plus.

@Magnus Andersson Yes! This is offered as part of Office 365 A1 and above. Note that in A1 it doesn't include Office Pro Plus so you only get the Outlook web experience.

@Jason Martin that's great to hear! Here is the full table of where OME is offered - outside of EDU.

@Deleted we do enable recipients to sign in via One-time passcode and that passcode would expire after 15min but the passcode would be sent to their Gmail/Yahoo account. While not a seamless experience you *might* be able to enforce the recipient to access the protected message through Outlook.com/Microsoft Account only @Salah Ahmed to confirm.

@Tony Richardson @Matt Nakachi Whether you rely on Microsoft managed encryption keys or provide your own through BYOK with AIP, you continue to get the value added features in Office 365 such as eDiscovery, search, or even anti-malware/spam services. I recommend watching this webinar on why this is possible and some common misperceptions in SaaS encryption. Do reach out if you're still unclear or have feedback on further content to clarify.

I set this up in my tenant, but when we use the templates to send an email outside the organization, the recipient cannot read the contents of the email. It says "You do not have permission to view this message". I looked in the Azure portal to see if there was something I need to change, but I don't see it.

@Salah Ahmed one thing to note that I haven't seen in the documentation; if you already had a logo previously set up you have to redo the configuration to get it to show up in all areas of the new experience.

There's no mention of how to configure custom templates when dealing with external non-Office 365 users. The "Do Not Forward" policy is nice, but we need a shorter expiration and no offline access. Is there any way to set up a template with a dynamic list of authorized users for use with external recipients?

Whilst we are waiting for OME v2 to have the Encrypt Only functionality, we are using legacy OME with Exchange classification to trigger the OME encryption.

But there is a use case issue in this scenario.

A recipient will reply to an OME encrypted email. This comes back encrypted to our Exchange; we then remove OME encryption before delivery to the mailbox.

The issue is that the message has then lost its classification and any replies to the user are then not sent encrypted. Any advice in this scenario? The senders within our organization will not remember to send the email encrypted.

Does this update resolve the problem for third-party archiving solutions (eg. Mimecast) that use journaling? So that the journaled messages' content would be available to be indexed by the archiving service?

It would be really nice to see the new OME capabilities replace the old message encryption in Office365 for ALL plans, specifically Business Premium. Lots of small companies have compliance needs addressed by this (like HIPAA) and they are going to find it hard to warrant the additional expense for what is essentially a "nice to have" functionality that makes the external customers experiences better. Even if ProPlus isn't included instead of the Business Premium Office suite, it would still be really nice for small shops to be able to use the OME features like the Google/Yahoo/etc federated login and branding of the email. Really, just provide those 2 features into every Office365 SKU. With the old encryption method and new OME it gets confusing to users and non-technical people to explain what you are using. Saying we use Office365 message encryption doesn't really cut it.

How can I disable encrypt only from applying rights management to attachments sent to other Office 365 users? I know how to have the attachment/email encrypted for non-O365 users but recipients with Office 365 have trouble opening attachments because "encrypt only" has applied rights management to the attachment and it is not working. Can I disable automatically adding rights management to attachments altogether when using Encrypt only?

What if I want the attachment to be shared? What if I do not want every attachment to be rights protected? Why is Microsoft assuming everyone wants that and not make it possible to remove IRM from attachments when encrypting an email sent to other O365 users? There needs to be a setting to disable IRM to all attachments. This should be our choice and not forced upon us.

When I send an email with Encrypt Only from my Outlook 2016 to an external recipient, they get a link to the portal and can reply to my email. That's all fine and dandy but the reply I get in my Outlook 2016 is a link to the portal and not a decrypted message that can be followed in a communications thread and whatever reply I send through the portal is also not reflected in my sent mail in Outlook 2016, but comes as a cc: reply into my inbox with a new link to the portal. This can't be correct, I must have done something wrong when enabling AIP on our tenant, if not then it is useless when sending mail outside an O365 tenant organization.

This is fine and dandy but there is a lot of feedback from people like me unable to configure simple email encryption based on Azure Information Protection; it just doesn't work, there is a bug or something. I realize this is not Tech Support, but I have had a case open for over a week now and no help. Basically, when we try to create a new Exchange mail flow rule based on

Apply Office 365 Message Encryption and rights protection to the message with... and then you are asked to select RMS template it says No RMS templates are available in your organization

yes we have a Rights Management license and yes we enabled it over 2 weeks ago

Again, there are many people like my company trying to figure this out, just Google it.